2015 Security Prediction #2: Credit Card Theft Transforms
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
Credit card theft transforms into personal identity dossiers.
Because the amount of money is so huge, we will continue to see credit card theft grow and accelerate in 2015. Most of these thieves are still trying to figure out ways to move faster through the conversion window, as cards get flagged more quickly and cancelled outright by the issuing banks. Chip and PIN technology (if it ever gets here) will no doubt slow down the opportunity stream, which will cause attackers to get even more sophisticated in how they pursue their craft even as they find more and different ways to steal the cards.
Because of this rapid decline in value, we think that criminals will look for more ways to increase the value of the information they steal and to keep it valuable for a longer period of time. This will lead to tuned malware directed at ancillary information beyond raw credit card details, such as more complete user identities for customer loyalty programs, in-store promotions and related data. By collating that data with, say, medical record information like address, social security and mother’s maiden name, they can begin to assemble highly valuable personal profiles.
If I can get Jane Doe’s credit card data for gasoline or retail purchases in the 94080 ZIP code along with Jane’s medical records from the South San Francisco Kaiser Permanente Medical Center, I am in a larger and much more profitable business with a longer lead time for discovery. I still contend the breach at the Community Hospital in Tennessee was part of a larger scheme directed at just this sort of data gathering activity.
We believe that we will see growth in the theft of apparently unrelated data: both multiple credit cards based in regional geographies and personal information from data stores in correlated facilities like hospitals, medical centers and doctors’ groups. We also think these attackers will begin using Big Data tools, which are broadly available as open source, to create a smart Criminal Cloud containing millions of personal dossiers, worth potentially much more than the simple credit card data available on online card marts.
This should be a compelling reason for Hospitals and Medical Groups to immediately move to implement advanced threat protection and for retail merchant groups and banks to move more swiftly in implementing Chip and PIN technology. It will be interesting to see how long it takes and/or what event will eventually serve as the tipping point to drive the message home.
Risk and Financial Crime Compliance Professional (Views are personal)
10 years ago: That was a very thought provoking article. The entire cards process is only as strong as its weakest link in the chain. The sooner the EMV implementation the better. Data security has emerged as the basic proposition.
Zonal Manager at ICICI Bank
10 years ago: In India, the Central Bank (RBI) has mandated the introduction of chip and PIN cards.
Security is a matter of engineering, not compliance. Co-author NIST SP 800-160 Volume 1.
10 years ago: Wow, do a little research. Chip N Pin support, which is part of a protocol known as EMV, is being mandated on retailers by Oct 2015 (pay at the pump in 2017). Apple Pay, and its Droid equivalent, are part of EMV. Additionally, major credit cards are shifting liability to retailers in order to incentivize the adoption of EMV (new PoS terminals are backwards-compatible) and to get retailers to otherwise improve their security.
Good article. Moreover, with the emergence of IoT, major risks are rising for the healthcare industry, which would lead to tremendous data breaches and correlation between data sets.
Helping Launch Innovative Products and Services in AgTech, GovTech, IoT, AI, Privacy and CyberSecurity
10 years ago: A very compelling commentary that personal data will be the currency of the cybercriminal in 2015. It's time for any facility managing sensitive data to start thinking differently about protection. It's been well documented that malware can easily bypass traditional antivirus. Time to rethink protection.